---
title: "Docker (legacy)"
description: "Self-host Trigger.dev on your own infrastructure using Docker."
---

<Note>This is a legacy guide for self-hosting v3 using Docker, you can find the v4 guide [here](/self-hosting/docker).</Note>

<Warning>Security, scaling, and reliability concerns are not fully addressed here. This guide is meant for evaluation purposes and won't result in a production-ready deployment.</Warning>

## Overview

<Frame>
  <img src="/images/self-hosting.png" alt="Self-hosting architecture" />
</Frame>

The self-hosting guide covers two alternative setups. The first option uses a simple setup where you run everything on one server. With the second option, the webapp and worker components are split on two separate machines.

You're going to need at least one Debian (or derivative) machine with Docker and Docker Compose installed. We'll also use Ngrok to expose the webapp to the internet.

## Support

It's dangerous to go alone! Join the self-hosting channel on our [Discord server](https://discord.gg/NQTxt5NA7s).

## Caveats

<Note>The v3 worker components don't have ARM support yet.</Note>

This guide outlines a quick way to start self-hosting Trigger.dev for evaluation purposes - it won't result in a production-ready deployment. Security, scaling, and reliability concerns are not fully addressed here.

As self-hosted deployments tend to have unique requirements and configurations, we don't provide specific advice for securing your deployment, scaling up, or improving reliability.

Should the burden ever get too much, we'd be happy to see you on [Trigger.dev cloud](https://trigger.dev/pricing) where we deal with these concerns for you.

<Accordion title="Please consider these additional warnings">
  - The [docker checkpoint](https://docs.docker.com/reference/cli/docker/checkpoint/) command is an experimental feature which may not work as expected. It won't be enabled by default. Instead, the containers will stay up and their processes frozen. They won't consume CPU but they _will_ consume RAM.
  - The `docker-provider` does not currently enforce any resource limits. This means your tasks can consume up to the total machine CPU and RAM. Having no limits may be preferable when self-hosting, but can impact the performance of other services.
  - The worker components (not the tasks!) have direct access to the Docker socket. This means they can run any Docker command. To restrict access, you may want to consider using [Docker Socket Proxy](https://github.com/Tecnativa/docker-socket-proxy).
  - The task containers are running with host networking. This means there is no network isolation between them and the host machine. They will be able to access any networked service on the host.
  - There is currently no support for adding multiple worker machines, but we're working on it.
</Accordion>

## Requirements

- 4 CPU
- 8 GB RAM
- Debian or derivative
- Optional: A separate machine for the worker components

You will also need a way to expose the webapp to the internet. This can be done with a reverse proxy, or with a service like Ngrok. We will be using the latter in this guide.

## Option 1: Single server

This is the simplest setup. You run everything on one server. It's a good option if you have spare capacity on an existing machine, and have no need to independently scale worker capacity.

### Server setup

Some very basic steps to get started:

1. [Install Docker](https://docs.docker.com/get-docker/)
2. [Install Docker Compose](https://docs.docker.com/compose/install/)
3. [Install Ngrok](https://ngrok.com/download)

<Accordion title="On a Debian server, you can run these commands">
```bash
# add ngrok repo
curl -s https://ngrok-agent.s3.amazonaws.com/ngrok.asc | \
    sudo tee /etc/apt/trusted.gpg.d/ngrok.asc >/dev/null && \
    echo "deb https://ngrok-agent.s3.amazonaws.com buster main" | \
    sudo tee /etc/apt/sources.list.d/ngrok.list

# add docker repo
curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc && \
    sudo chmod a+r /etc/apt/keyrings/docker.asc && \
    echo \
      "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
      $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
      sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# update and install
sudo apt-get update
sudo apt-get install -y \
    docker.io \
    docker-compose-plugin \
    ngrok
```
</Accordion>

### Trigger.dev setup

1. Clone the [Trigger.dev docker repository](https://github.com/triggerdotdev/docker)

```bash
git clone https://github.com/triggerdotdev/docker
cd docker
```

2. Run the start script and follow the prompts

```bash
./start.sh # hint: you can append -d to run in detached mode
```

#### Manual

Alternatively, you can follow these manual steps after cloning the docker repo:

1. Create the `.env` file

```bash
cp .env.example .env
```

2. Generate the required secrets

```bash
echo MAGIC_LINK_SECRET=$(openssl rand -hex 16)
echo SESSION_SECRET=$(openssl rand -hex 16)
echo ENCRYPTION_KEY=$(openssl rand -hex 16)
echo PROVIDER_SECRET=$(openssl rand -hex 32)
echo COORDINATOR_SECRET=$(openssl rand -hex 32)
```

3. Replace the default secrets in the `.env` file with the generated ones

4. Run docker compose to start the services

```bash
. lib.sh # source the helper function
docker_compose -p=trigger up
```

### Tunnelling

You will need to expose the webapp to the internet. You can use Ngrok for this. If you already have a working reverse proxy setup and a domain, you can skip to the last step.

1. Start Ngrok. You may get prompted to sign up - it's free.

```bash
./tunnel.sh
```

2. Copy the domain from the output, for example: `1234-42-42-42-42.ngrok-free.app`

3. Uncomment the `TRIGGER_PROTOCOL` and `TRIGGER_DOMAIN` lines in the `.env` file. Set it to the domain you copied.

```bash
TRIGGER_PROTOCOL=https
TRIGGER_DOMAIN=1234-42-42-42-42.ngrok-free.app
```

4. Quit the start script and launch it again, or run this:

```bash
./stop.sh && ./start.sh
```

### Registry setup

If you want to deploy v3 projects, you will need access to a Docker registry. The [CLI deploy](/cli-deploy) command will push the images, and then the worker machine can pull them when needed. We will use Docker Hub as an example.

1. Sign up for a free account at [Docker Hub](https://hub.docker.com/)

2. Edit the `.env` file and add the registry details

```bash
DEPLOY_REGISTRY_HOST=docker.io
DEPLOY_REGISTRY_NAMESPACE=<your_dockerhub_username>
```

3. Log in to Docker Hub both locally and your server. For the split setup, this will be the worker machine. You may want to create an [access token](https://hub.docker.com/settings/security) for this.

```bash
docker login -u <your_dockerhub_username> docker.io
```

4. Required on some systems: Run the login command inside the `docker-provider` container so it can pull deployment images to run your tasks.

```bash
docker exec -ti \
  trigger-docker-provider-1 \
  docker login -u <your_dockerhub_username> docker.io
```

5. Restart the services

```bash
./stop.sh && ./start.sh
```

6. You can now deploy v3 projects using the CLI with these flags:

```
npx trigger.dev@latest deploy --self-hosted --push
```

## Option 2: Split services

With this setup, the webapp will run on a different machine than the worker components. This allows independent scaling of your workload capacity.

### Webapp setup

All steps are the same as for a single server, except for the following:

1. **Startup.** Run the start script with the `webapp` argument

```bash
./start.sh webapp
```

2. **Tunnelling.** This is now _required_. Please follow the [tunnelling](/open-source-self-hosting#tunnelling) section.

### Worker setup

1. **Environment variables.** Copy your `.env` file from the webapp to the worker machine:

```bash
# an example using scp
scp -3 root@<webapp_machine>:docker/.env root@<worker_machine>:docker/.env
```

2. **Startup.** Run the start script with the `worker` argument

```bash
./start.sh worker
```

3. **Tunnelling.** This is _not_ required for the worker components.

4. **Registry setup.** Follow the [registry setup](/open-source-self-hosting#registry-setup) section but run the last command on the worker machine - note the container name is different:  

```bash
docker exec -ti \
  trigger-worker-docker-provider-1 \
  docker login -u <your_dockerhub_username> docker.io
```

## Additional features

### Large payloads

By default, payloads over 512KB will be offloaded to S3-compatible storage. If you don't provide the required env vars, runs with payloads larger than this will fail.

For example, using Cloudflare R2:

```bash
OBJECT_STORE_BASE_URL="https://<bucket>.<account>.r2.cloudflarestorage.com"
OBJECT_STORE_ACCESS_KEY_ID="<r2 access key with read/write access to bucket>"
OBJECT_STORE_SECRET_ACCESS_KEY="<r2 secret key>"
```

Alternatively, you can increase the threshold:

```bash
# size in bytes, example with 5MB threshold
TASK_PAYLOAD_OFFLOAD_THRESHOLD=5242880
```

### Version locking

There are several reasons to lock the version of your Docker images:
- **Backwards compatibility.** We try our best to maintain compatibility with older CLI versions, but it's not always possible. If you don't want to update your CLI, you can lock your Docker images to that specific version.
- **Ensuring full feature support.** Sometimes, new CLI releases will also require new or updated platform features. Running unlocked images can make any issues difficult to debug. Using a specific tag can help here as well.

By default, the images will point at the latest versioned release via the `v3` tag. You can override this by specifying a different tag in your `.env` file. For example:

```bash
TRIGGER_IMAGE_TAG=v3.0.4
```

### Auth options

By default, magic link auth is the only login option. If the `EMAIL_TRANSPORT` env var is not set, the magic links will be logged by the webapp container and not sent via email.

Depending on your choice of mail provider/transport, you will want to configure a set of variables like one of the following:

##### Resend:
```bash
EMAIL_TRANSPORT=resend
FROM_EMAIL=
REPLY_TO_EMAIL=
RESEND_API_KEY=<your_resend_api_key>
```

##### SMTP

Note that setting `SMTP_SECURE=false` does _not_ mean the email is sent insecurely.
This simply means that the connection is secured using the modern STARTTLS protocol command instead of implicit TLS.
You should only set this to true when the SMTP server host directs you to do so (generally when using port 465)

```bash
EMAIL_TRANSPORT=smtp
FROM_EMAIL=
REPLY_TO_EMAIL=
SMTP_HOST=<your_smtp_server>
SMTP_PORT=587
SMTP_SECURE=false
SMTP_USER=<your_smtp_username>
SMTP_PASSWORD=<your_smtp_password>
```

##### AWS Simple Email Service

Credentials are to be supplied as with any other program using the AWS SDK.
In this scenario, you would likely either supply the additional environment variables `AWS_REGION`, `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` or, when running on AWS, use credentials supplied by the EC2 IMDS.

```bash
EMAIL_TRANSPORT=aws-ses
FROM_EMAIL=
REPLY_TO_EMAIL=
```

All email addresses can sign up and log in this way. If you would like to restrict this, you can use the `WHITELISTED_EMAILS` env var. For example:

```bash
# every email that does not match this regex will be rejected
WHITELISTED_EMAILS="^(authorized@yahoo\.com|authorized@gmail\.com)$"
```

It's currently impossible to restrict GitHub OAuth logins by account name or email like above, so this method is _not recommended_ for self-hosted instances. It's also very easy to lock yourself out of your own instance.

<Warning>Only enable GitHub auth if you understand the risks! We strongly advise you against this.</Warning>

Your GitHub OAuth app needs a callback URL `https://<your_domain>/auth/github/callback` and you will have to set the following env vars:

```bash
AUTH_GITHUB_CLIENT_ID=<your_client_id>
AUTH_GITHUB_CLIENT_SECRET=<your_client_secret>
```

### Checkpoint support

<Warning>
  This requires an _experimental Docker feature_. Successfully checkpointing a task today, does not
  mean you will be able to restore it tomorrow. Your data may be lost. You've been warned!
</Warning>

Checkpointing allows you to save the state of a running container to disk and restore it later. This can be useful for
long-running tasks that need to be paused and resumed without losing state. Think fan-out and fan-in, or long waits in email campaigns.

The checkpoints will be pushed to the same registry as the deployed images. Please see the [registry setup](#registry-setup) section for more information.

#### Requirements

- Debian, **NOT** a derivative like Ubuntu
- Additional storage space for the checkpointed containers

#### Setup

Underneath the hood this uses Checkpoint and Restore in Userspace, or [CRIU](https://github.com/checkpoint-restore/criu) in short. We'll have to do a few things to get this working:

1. Install CRIU

```bash
sudo apt-get update
sudo apt-get install criu
```

2. Tweak the config so we can successfully checkpoint our workloads

```bash
mkdir -p /etc/criu

cat << EOF >/etc/criu/runc.conf
tcp-close
EOF
```

3. Make sure everything works

```bash
sudo criu check
```

3. Enable Docker experimental features, by adding the following to `/etc/docker/daemon.json`

```json
{
  "experimental": true
}
```

4. Restart the Docker daemon

```bash
sudo systemctl restart docker
```

5. Uncomment `FORCE_CHECKPOINT_SIMULATION=0` in your `.env` file. Alternatively, run this:

```bash
echo "FORCE_CHECKPOINT_SIMULATION=0" >> .env
```

6. Restart the services

```bash
# if you're running everything on the same machine
./stop.sh && ./start.sh

# if you're running the worker on a different machine
./stop.sh worker && ./start.sh worker
```

## Updating

Once you have everything set up, you will periodically want to update your Docker images. You can easily do this by running the update script and restarting your services:

```bash
./update.sh
./stop.sh && ./start.sh
```

Sometimes, we will make more extensive changes that require pulling updated compose files, scripts, etc from our docker repo:

```bash
git pull
./stop.sh && ./start.sh
```

Occasionally, you may also have to update your `.env` file, but we will try to keep these changes to a minimum. Check the `.env.example` file for new variables.

### From beta

If you're coming from the beta CLI package images, you will need to:
- **Stash you changes.** If you made any changes, stash them with `git stash`.
- **Switch branches.** We moved back to main. Run `git checkout main` in your docker repo.
- **Pull in updates.** We've added a new container for [Electric](https://github.com/electric-sql/electric) and made some other improvements. Run `git pull` to get the latest updates.
- **Apply your changes.** If you stashed your changes, apply them with `git stash pop`.
- **Update your images.** We've also published new images. Run `./update.sh` to pull them.
- **Restart all services.** Run `./stop.sh && ./start.sh` and you're good to go.

In summary, run this wherever you cloned the docker repo:

```bash
# if you made changes
git stash

# switch to the main branch and pull the latest changes
git checkout main
git pull

# if you stashed your changes
git stash pop

# update and restart your services
./update.sh
./stop.sh && ./start.sh
```

## Troubleshooting

- **Deployment fails at the push step.** The machine running `deploy` needs registry access:

```bash
docker login -u <username> <registry>
# this should now succeed
npx trigger.dev@latest deploy --self-hosted --push
```

- **Prod runs fail to start.** The `docker-provider` needs registry access:

```bash
# single server? run this:
docker exec -ti \
  trigger-docker-provider-1 \
  docker login -u <your_dockerhub_username> docker.io

# split webapp and worker? run this on the worker:
docker exec -ti \
  trigger-worker-docker-provider-1 \
  docker login -u <your_dockerhub_username> docker.io
```

## CLI usage

This section highlights some of the CLI commands and options that are useful when self-hosting. Please check the [CLI reference](/cli-introduction) for more in-depth documentation.

### Login

To avoid being redirected to the [Trigger.dev Cloud](https://cloud.trigger.dev) login page when using the CLI, you can specify the URL of your self-hosted instance with the `--api-url` or `-a` flag. For example:

```bash
npx trigger.dev@latest login -a http://trigger.example.com
```

Once you've logged in, the CLI will remember your login details and you won't need to specify the URL again with other commands.

#### Custom profiles

You can specify a custom profile when logging in. This allows you to easily use the CLI with our cloud product and your self-hosted instance at the same time. For example:

```
npx trigger.dev@latest login -a http://trigger.example.com --profile my-profile
```

You can then use this profile with other commands:

```
npx trigger.dev@latest dev --profile my-profile
```

To list all your profiles, use the `list-profiles` command:

```
npx trigger.dev@latest list-profiles
```

#### Verify login

It can be useful to check you have successfully logged in to the correct instance. You can do this with the `whoami` command, which will also show the API URL:

```bash
npx trigger.dev@latest whoami

# with a custom profile
npx trigger.dev@latest whoami --profile my-profile
```

### Deploy

On [Trigger.dev Cloud](https://cloud.trigger.dev), we build deployments remotely and push those images for you. When self-hosting you will have to do that locally yourself. This can be done with the `--self-hosted` and `--push` flags. For example:

```
npx trigger.dev@latest deploy --self-hosted --push
```

### CI / GitHub Actions

When running the CLI in a CI environment, your login profiles won't be available. Instead, you can use the `TRIGGER_API_URL` and `TRIGGER_ACCESS_TOKEN` environment 
variables to point at your self-hosted instance and authenticate.

For more detailed instructions, see the [GitHub Actions guide](/github-actions).


## Telemetry

By default, the Trigger.dev webapp sends telemetry data to our servers. This data is used to improve the product and is not shared with third parties. If you would like to opt-out of this, you can set the `TRIGGER_TELEMETRY_DISABLED` environment variable in your `.env` file. The value doesn't matter, it just can't be empty. For example:

```bash
TRIGGER_TELEMETRY_DISABLED=1
```
